Beyond Benchmarking:
How Should Law and
Corporate Compliance
Intersect?
MICHELE DESTEFANO
FOUNDER, LAWWITHOUTWALLS
Associate Professor of Law, MiamiLaw
Program on the Legal Profession
13 November 2012

Corporations Around the Globe
Are Facing a HUGE challenge
11/14/2012 DeStefano 3

Despite the current freeze
on legal expenditure
corporations
are having to
invest
HEAVILY
in compliance
...
11/14/2012 DeStefano 4

. . . in managing the legal risk of business
11/14/2012 DeStefano 5

Questions?Questions?Questions?
Where does legal How Is Compliance
end and compliance Managed and by
start? Whom?
Who Should
be
Responsible
for
Compliance?
And What about Ethics and Corporate Culture?
11/14/2012 DeStefano 6

In large publicly traded corporations,
*historically*
the compliance department
was part of the legal department
...
Overseen or even run by
the chief legal officer
...
11/14/2012 DeStefano 7

In many respects,
this is
still true
today
11/14/2012 DeStefano 8

Many corporate practices, and mandates put
compliance in the hands of lawyers . . .
11/14/2012 DeStefano 9

Practice/Mandates/Guidelines
ABA Task Force on 46% of ACCA survey
Corporate
Responsibility respondents claim
recommended that that Compliance was
general counsels ultimately overseen
oversee compliance
(with direct oversight by the GC or the GC
by the Board) serves as the CCO
MR 1.13 and SOX §307 puts the GC
in role of whistle blower/gatekeeper
11/14/2012 DeStefano 10

Recently, this has begun to . . .
11/14/2012 DeStefano 11

Although the government
(e.g., OIG of the SEC and the DHHS)
does not
*require*
that corporations
separate
the compliance and legal functions
...
11/14/2012 DeStefano 12

...
their
unofficial
stance
is
that
they
*should*
11/14/2012 DeStefano 13

Indeed,
the SEC and the DHHS
have forced corporations
that have misbehaved
to do
just
that
...
11/14/2012 DeStefano 14

To develop
distinct
Compliance Departments
And
designate
a Chief Compliance Officer
*that does NOT report to the GC/CLO*
and that has
direct access
to the Board
11/14/2012 DeStefano 15

Consider
the
following
Four
examples
11/14/2012 DeStefano 16

2004 – Medicaid Pricing Fraud
11/14/2012 DeStefano 17

In its Corporate Integrity Agreement (CIA),
Schering-Plough had to
pay $293M,
establish a hotline,
revise corporate conduct code/training
and
designate a CCO
to report directly to the CEO or President
*and NOT the GC*
with direct access to the Board
11/14/2012 DeStefano 18

2004 – Fraudulent Revenue Projection
11/14/2012 DeStefano 19

In settlement,
Quest
agreed to
pay $250M,
and
create a CCO position
that would
*report directly*
to the CEO
with direct access
to the Board
11/14/2012 DeStefano 20

2009 – Illegal Promotion of Drug Uses
11/14/2012 DeStefano 21

Pfizer paid $2.3 BILLION,
plead guilty to a
felony criminal violation,
and signed a 5-year CIA
mandating
that it create a hotline,
heighten training,
And designate a CCO
that would not be
subordinate to the GC/CLO
and would have direct access
to the Board
11/14/2012 DeStefano 22

2010 – Insider Trading Investigation
11/14/2012 DeStefano 23

To appease,
the SEC created
a “real”
and singular
compliance department
with oversight
by one
designated CCO
11/14/2012 DeStefano 24

In Sum, the reaction by the DDHS
and SEC has been to
11/14/2012 DeStefano 25

To emphasize
the structure,
management,
policies,
and programs
around compliance
11/14/2012 DeStefano 26

To demand
that
malfeasant
corporations
separate
compliance
from the
legal department,
11/14/2012 DeStefano 27

Designate a CCO
that is
not also
the GC
and
does not
report to
the GC
11/14/2012 DeStefano 28

And
that has
direct access
to the
Board
Of
Directors
11/14/2012 DeStefano 29

This Reaction is Consistent with
Recent Laws and Recommendations
SECs Compliance Federal Sentencing
Rule 2004 requiring Guidelines defining
each SEC registered what is an effective
investment compliance program
company/advisor to and providing extra
designate a CCO to credit for corporations
oversee compliance that designate separate
and report directly to CCOs with direct
the Board reporting to the board
Guidelines by Professional Associations (OIG/ILA)
recommending the same
11/14/2012 DeStefano 30

And more and more corporations
seem to be following suit
11/14/2012 DeStefano 31

Over the past few years,
in the wake
of corporate scandals
that span industries
e.g., pharma,
insurance,
financial services,
health care,
consumer products,
11/14/2012 DeStefano 32

There
appears
to be
an
emerging
trend
11/14/2012 DeStefano 33

to separate
the
compliance function
from
the legal department
and create
new
distinct
compliance departments
11/14/2012 DeStefano 34

compliance departments
largely led
and comprised of
non-lawyers
and
non-practicing lawyers
that report directly to the CEO
and
have direct access
to the board
11/14/2012 DeStefano 35

Why and Should This Be So?
Why Have Organizations
Adopted this new stance
on the
organizational structure of
compliance?
AND
Is this Best Practice?
11/14/2012 DeStefano 36

Questions?Questions?Questions?
Do Inhouse Lawyers
- when they work
in the legal department -
somehow impair
ethics and compliance?
11/14/2012 DeStefano 37

Questions?Questions?Questions?
Are lawyers
– acting as lawyers –
less able to prevent,
uncover,
and stop
malfeasance?
11/14/2012 DeStefano 38

Questions?Questions?Questions?
Does taking compliance
out of the hands
of practicing lawyers
create
the type of change that is
needed
to ensure a culture of
compliance?
Or are these new compliance departments
just a formal solution to appease?
11/14/2012 DeStefano 39

“ A number of the early mover companies
that created compliance departments did
so as part of resolving a major mishap or
high profile problem -- so it was not
necessarily a best practice. But after a
number of major companies have done it
over the years, it starts to look like a best
practice. Once in that position, it becomes
hard for a major corporation to explain
why they don't need a compliance
department.” (FGC-2)
11/14/2012 DeStefano 40

Purpose: Explore 3 Questions
(i) What is “compliance”?
(ii) How is it managed, where is it
currently housed in large, publicly
traded corporations and why
(iii) Who Should Oversee Compliance:
What are the risks and benefits of having a
distinct compliance function run by non-
lawyers (or non-practicing lawyers) that
report to the CEO/Board?
11/14/2012 DeStefano 41

Research Methodology
Stage 1
• 2007 - completed before meltdown
• 40 brief interviews (avg. 8 min) with
General Counsels of S&P 500 corps in
banking, pharmaceutical, & petroleum
11/14/2012 DeStefano 42

Research Methodology
Stage 2
• 2010-present
• 30-40 in-depth interviews (avg 60 min)
with General Counsels and Chief
Compliance Officers of large, publicly
traded corporations
• 6 industries: Pharmaceutical, Energy,
Healthcare, Consumer Products, Financial
Services, and Misc
11/14/2012 DeStefano 43

Research Methodology
Stage 2 Goals:
1. 30-40 interviews comprising of 2 to 3
companies per industry
2. 1 ex-GC in each industry
3. 1 lower level compliance manager in each
industry
4. 1 to 2 nonpublic companies (GC and CCO)
5. 1 senior manager that works or used to
work in compliance at the SEC, OIG
6. 1 to 2 compliance consultants/activists
11/14/2012 DeStefano 44

Caveats
1. Sample size is very very low
2. Still in the process of coding some
interviews
3. This study is not comprised of a random
sample and is based on self-reports by
senior executives which arguably have
certain stories to tell
11/14/2012 DeStefano 45

Key Findings to Date: Stage 2
Who Oversees Compliance?
• GCs had ultimate responsibility for the
compliance function for the majority of
corporations interviewed
– But the Compliance Department is
considered distinct from the Legal
Department
– And the CCO has a dotted line to Board
11/14/2012 DeStefano 46

Key Findings to Date: Stage 2
Who Oversees Compliance?
• Where GC/CLO did not have ultimate
oversight, generally compliance was
overseen by a former in-house lawyer,
often the deputy general counsel, that
reports to the CEO with access to the
board
11/14/2012 DeStefano 47

Key Findings to Date: Stage 2
Who Oversees Compliance?
• Compliance Departments are made up of
a lot of lawyers
11/14/2012 DeStefano 48

Key Findings To Date:
Role of the CCO vs the GC?
11/14/2012 DeStefano 49

Problem often faced
by the CCO
is the giving of legal advice
...
Hard not to do
given the
nature and scope
of the job
and that often the CCO
was trained
as a lawyer
11/14/2012 DeStefano 50

Role of the CCO vs the GC?
Consensus Similarity
Legal and Compliance Departments
rely on
legal expertise and
have a shared goal
to increase compliance
with the law
11/14/2012 DeStefano 51

Role of the CCO vs the GC?
Consensus Distinction
The CCO focuses on
1) building policies and procedures;
2) monitoring adherence;
3) training and educating employees on
specific regulatory obligations; and,
4) testing employees on adherence.
11/14/2012 DeStefano 52

Role of the CCO vs the GC?
Claimed Distinction 1
Compliance Officers (vs. GC)
care about
preventing misconduct,
neutral fact finding,
acting in the interest of stakeholders,
uncovering misconduct,
ethics, and
culture
53

Role of the CCO vs the GC?
Claimed Distinction 2
Compliance Officers
have different reporting obligations,
aren‟t acting as lawyers,
and
can‟t garner
attorney-client privilege protection
54

Role of the CCO vs the GC?
Claimed Distinction 3
Compliance requires
management know-how in
training,
HR matters,
communications,
auditing,
and internal controls ,
While legal work
Requires
training in the law
55

Role of the CCO vs the GC?
Claimed Distinction 4
Lawyers
tell you what the law
says
and are concerned with
legal liability and
vigorously defending
the corporation
at all costs
56

Role of the CCO vs the GC?
Claimed Distinction 5
The lawyers
tell you whether you
can
do something,
and compliance
tells you whether you
should
57

Role of the CCO vs the GC?
Typical Quote
“The General Counsel‟s job is . . . to advise
[the company and senior managers] of the
legal risks but not initiate the conversation
over what is the right thing to do –
the General Counsel‟s job
is more black and white.”
58

But
these distinctions
appear
to be
a bit
artificial
11/14/2012 DeStefano 59

If you have a broad view
of the role of the GC;
If you believe
(as many do)
that the GC has
or should have
some gatekeeping
responsibilities
11/14/2012 DeStefano 60

If you think
The GC
should play
the role of counselor
in charge of
corporate culture
and ethics
and the corporate conscience
...
11/14/2012 DeStefano 61

Then
these
distinctions
are
a
bit
artificial
11/14/2012 DeStefano 62

Many GC interviewees saw these
distinctions in reverse
11/14/2012 DeStefano 63

They claimed
that the GC
(as opposed to the CCO)
is in charge
of the ethics
and corporate culture
and that the CCOs
can sometimes
be seen as just . . .
11/14/2012 DeStefano 64

Traffic Cops
11/14/2012 DeStefano 65

So
Perhaps
it is the
philosophy of the role
that matters
more
than
the titles
and segmentations
11/14/2012 DeStefano 66

A Typology of Roles:
Not All CCOs are Alike
11/14/2012 DeStefano 67

Automatan
11/14/2012 DeStefano 68

Investigator
11/14/2012 DeStefano 69

Mark Wahlberg: The Departed
11/14/2012 DeStefano 70

Spy
11/14/2012 DeStefano 71

Counselor
11/14/2012 DeStefano 72

Counselor
“I like to play the business card game with my CEO.
Whenever there is a tough conversation around
ethics and compliance and the law, I ask my CEO to
take out his business card. I point out, as we look
at the cards, that his card says „president, CEO, and
chairman.” My card says „VP, GC, and counsel.” I
explain that want to concentrate on the counsel
part. My card gives me the right to counsel you and
you can disregard it. But I get to say I told you so . .
.”
11/14/2012 DeStefano 73

Involved Parent
11/14/2012 DeStefano 74

Business Bottom Liner
11/14/2012 DeStefano 75

Scarecrow
11/14/2012 DeStefano 76

Which Way Do We Go?
11/14/2012 DeStefano 77

“Throughout the organization, we don‟t have
someone named as a compliance officer –
meaning that, if one person is in charge of
compliance, nobody else has to worry about
it.” (GC large petroleum company)
11/14/2012 DeStefano 78

Given that
there are so
many different
archetypes,
perhaps
the right
Question
is:
11/14/2012 DeStefano 79

What
are the
risks
and
benefits
of having
the two
Segregated
departments?
11/14/2012 DeStefano 80

Does
segregation,
in and of itself
create specific
negative
repercussions
or
positive
consequences?
11/14/2012 DeStefano 81

Risks if Combined:
Conflict of Interest
11/14/2012 DeStefano 82

Risks if Combined:
Shield of Secrecy
11/14/2012 DeStefano 83

Risks if Separate: Turf Wars
11/14/2012 DeStefano 84

Risks if Separate: Inefficiencies
11/14/2012 DeStefano 85

Risks if Separate: Communication
Issues & Loss of Shared Learnings
11/14/2012 DeStefano 86

Unidentified Risks if Separate:
Revival of the Legal Technician
11/14/2012 DeStefano 87

Unidentified Risks if Separate:
Decrease in Gatekeeping &
Counselor Role
11/14/2012 DeStefano 88

Unidentified Risks if Separate:
Increase in Information
Protected by the Attorney-Client
Privilege
11/14/2012 DeStefano 89

Unidentified Risks if Separate:
Terminator CCOs
11/14/2012 DeStefano 90

Unidentified Risks if Separate:
Increase in the UPL
11/14/2012 DeStefano 91

Unidentified Risks if Separate:
Increase in the UPL
“There is no such thing as a non-practicing
lawyer – purely practical – if you are a lawyer
you are a lawyer doesn‟t matter if licensed to
practice law or not – people look at you as a
lawyer and rely on you as it to dispense legal
advice despite of title . . and therefore in my view
I‟m a GC of company if one my lawyers screws up
– I‟m responsible - - I can‟t say that‟s lawyer in
compliance and I get by . . I think its functionally
wrong . . but reasonable people can differ”
11/14/2012 DeStefano 92

Unidentified Risks if Separate:
Rise of the Law Consultant not
bound by the MRPC
11/14/2012 DeStefano 93

Unidentified Risks if Separate:
Just Another Risk to be Managed
11/14/2012 DeStefano 94

Unidentified Risks if Separate:
Increase in Strict Liability?
11/14/2012 DeStefano 95

Unidentified Risks if Separate:
Just a Copy-Cat Move
11/14/2012 DeStefano 96

But the only way
to determine
who should oversee
compliance
and whether
the departments
should be segregated,
is to
agree on what are
the objectives
...
11/14/2012 DeStefano 97

Are the objectives
to increase
the corporation‟s
Compliance
with the
rule
of
law?
11/14/2012 DeStefano 98

Are the objectives
to increase
the corporation‟s
normative
commitment
to
compliance?
i.e., to establish
a culture
of compliance?
11/14/2012 DeStefano 99

Or are
the objectives
to enhance
the expectations
society has of lawyers
and their role
as gatekeepers,
counselors,
keepers of the corporate conscience?
11/14/2012 DeStefano 100

Arguably, the current
trend/mandate applauds
form over function and fails to
deliver
11/14/2012 DeStefano 101

Although
it is true
that the SEC has
claimed
it will
assess whether
a company
has a
“culture of compliance”
11/14/2012 DeStefano 102

Recent
Mandates
by
the government
including the SEC
do
not appear to
to be doing so.
They do NOT even
consider
11/14/2012 DeStefano 103

The Importance of Collaboration
to Effective Compliance & Culture
11/14/2012 DeStefano 104

Instead
they prize
Independence
and traditional
notions
of control
OVER
interdependency,
embeddedness
And collaboration
11/14/2012 DeStefano 105

They
emphasize
the
outward
formal
organizational
structures
and programs
...
as if they are
proxies
for effective compliance
11/14/2012 DeStefano 106

The Org Chart
11/14/2012 DeStefano 107

A Code of Conduct
11/14/2012 DeStefano 108

Training Manuals & Programs
11/14/2012 DeStefano 109

In order
to find
the critical gaps,
the focus should be
on the
Internal:
1) How people
interact
11/14/2012 DeStefano 110

Informal Cultural
Communication Norms
11/14/2012 DeStefano 111

It is the
hidden norms
and social networks
that impact
the choices
employees make
NOT
the public,
formal,
ethics programs,
codes of conduct,
and missions statements
11/14/2012 DeStefano 112

Researchers agree that
formal systems are
the weakest link
in the organization‟s
ethical infrastructure
and are typically
far eclipsed
by their informal
counterparts
11/14/2012 DeStefano 113

In order
to find
the critical gaps,
the focus should be
on the
internal:
2) How people
are
motivated
11/14/2012 DeStefano 114

Carrots? Or Sticks?
11/14/2012 DeStefano 115

While it is true
that many
compliance functions are
“route” or “check-the-box,”
and malfeasance with these task
is easy to uncover and
compliance is
easy to motivate
11/14/2012 DeStefano 116

When the choice
involves
non-routine tasks
and deliberation
involving
morals,
ethics,
personal preferences,
malfeasance is much harder to control with
carrots or sticks
11/14/2012 DeStefano 117

Indeed, monetary incentives
can take the good
out of doing good;
and If-then
carrots or sticks
neglect the ingredients
of
Genuine motivation
11/14/2012 DeStefano 118

External or Internal
11/14/2012 DeStefano 119

In order
to find
the critical gaps,
the focus should be
on the
internal:
2) How people make
ethical
decisions
11/14/2012 DeStefano 120

How Does Ethics Intersect with
Compliance and the Law?
11/14/2012 DeStefano 121

Compliance
initiatives
do not account
for the reality
that employees
do not necessarily
recognize a dilemma
as an
ethical one
11/14/2012 DeStefano 122

Many Ethical Dilemmas Result
from Blind Spots
11/14/2012 DeStefano 123

...
Think Pinto
...
Think The Challenger
11/14/2012 DeStefano 124

Desensitization and Ethical Fading
11/14/2012 DeStefano 125

Preliminary
Conclusions:
1) large, publicly traded
Corporations
should not
preemptively comply
with the government‟s
unofficial preference
towards stand alone
compliance departments
11/14/2012 DeStefano 126

Preliminary
Conclusions:
2) Instead of focusing
on the outward
form and structure
of an organization
or formal exemplifications
of compliance,
assessment should look inward,
at the informal communication,
value chains, and
culture of the company
11/14/2012 DeStefano 127

Preliminary
Conclusions:
3) Bonus points should be given
to those corporations
that take an inward look
at how work is actually
being done
and the networks
and ethical culture
that exists beneath and beyond
the Org chart,
the mission statement,
and the code of conduct
11/14/2012 DeStefano 128

Questions?Questions?Questions?
Are lawyers better Is the culture of the
able to run company determined
compliance than by the tone at the
nonlawyers? top? Or the tone at
Should them middle?
Compliance
be separate
from Legal?
Is having a compliance department more
important today than 5 years ago?
11/14/2012 DeStefano 129

MICHELE DESTEFANO
FOUNDER, LAWWITHOUTWALLS
Associate Professor of Law, MiamiLaw
md@law.miami.edu
11/14/2012 DeStefano 130